Microsoft 365 Training | Admin

Microsoft 365: Maintain data security of a terminated employee

For organizations using Microsoft 365, employee turnover is a concern for both the HR manager and the IT admin. An offboarding procedure performed incorrectly can cause data loss or a data leak with unwanted consequences.

As your organization’s administrator, keep your organization’s Microsoft 365 data safe and secure when a user leaves by following these best practices:

Best Practices for Offboarding an Employee

  1. Reset a user password

    The first thing you should do when an employee leaves the organization is change their Microsoft 365 password. Resetting the password instead of just blocking the user sign-in is preferred because the latter can take up to 24 hours. In the 24-hour time window, an employee potentially can hard-delete or download confidential information. Resetting a password takes effect immediately.

  2. Block user from Microsoft 365

    After you reset the password, make sure the former employee won’t be able to reset it themselves in the future and block them from signing in to their Microsoft 365 account. Blocking an account can take up to 24 hours to take effect.

  3. Block access to Exchange Online

    Sign in to the Exchange admin center and follow these steps to block your former employee from accessing their email through non-browser clients.

  4. Set up mail forwarding or convert to Shared mailbox

    Before you delete the ex-employee’s account, create an alias, or notify their email contacts that they’re no longer available, you should set up email forwarding or create a shared mailbox. By doing so, you preserve all the important connections for future use. Business partners and clients can then continue contacting your company using the former employee’s old email address.

    Note: after you remove the license and/or delete the account, these options won’t work.

  5. Preserve data

    You most likely need to preserve the ex-employee’s business-critical data, such as email, SharePoint and OneDrive files, for compliance, legal, or business continuity reasons. Maintaining a licensed account is possible, yet it costs money. Archiving is the way to preserve data without paying a monthly license fee.

  6. Wipe and block mobile devices

    If the employee leaving the company had been using personal devices to access corporate data, you need to disconnect those devices by enforcing your corporate MDM/BYOD policies and procedures.

  7. Add an alias to another account

    The best way to preserve a former employee’s email address, without maintaining their licensed account, is to create an email alias. An alias is an additional email address for an existing account and associated cloud storage. Note that a user can be assigned more than one alias.

  8. Give another employee access to OneDrive and Outlook data

    If you remove a user’s license but don’t delete the account, you can give yourself access to the content in the user’s OneDrive. If you delete the user’s account, you have 30 days by default to access the former user’s OneDrive data.

  9. Remove the license and reassign or delete it

    When you have performed all the steps above, it’s time to figure out what to do with the former employee’s Microsoft license. If you don’t want to pay for a license after someone leaves your organization, you need to remove their Microsoft 365 license and then delete it from your subscription.

  10. Delete the user account

    After saving and accessing all of the former employee’s user data, some organizations choose to delete the former employee’s account.

    Important:

    • Check with your legal and/or HR department to ensure deleting an account is allowed under your compliance and retention policies.
    • Don’t delete the account if you’ve set up email forwarding or converted it to a shared mailbox. Both need the account to anchor the forwarding or shared mailbox.
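
Steps 1 to 4 above, in the order given, as an added PowerShell example (not part of the original page and not Microsoft's own script). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the operator's admin role and the requested Graph scopes permit each change; the parameter names `$Leaver` and `$ForwardTo` are hypothetical.

```powershell
# Added example, not Microsoft's or this page's own script.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed
# and the operator's admin role permits each change.
param(
    [Parameter(Mandatory)] [string] $Leaver,    # UPN of the departing user (hypothetical name)
    [string] $ForwardTo                         # optional: recipient for forwarded mail
)
$ErrorActionPreference = 'Stop'                 # abort on the first failed step

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Step 1: reset the password to a random value that is never displayed or stored.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes) + 'aA1!'   # suffix guarantees complexity classes
Update-MgUser -UserId $Leaver -PasswordProfile @{
    Password                      = $password
    ForceChangePasswordNextSignIn = $false
}
Remove-Variable password, bytes

# Step 2: block sign-in.
Update-MgUser -UserId $Leaver -AccountEnabled:$false

# Step 3: turn off the non-browser mail protocols on the mailbox.
Set-CASMailbox -Identity $Leaver -ActiveSyncEnabled $false -PopEnabled $false `
    -ImapEnabled $false -MAPIEnabled $false -EwsEnabled $false

# Step 4: convert to a shared mailbox, and forward if a recipient was given.
Set-Mailbox -Identity $Leaver -Type Shared
if ($ForwardTo) {
    Set-Mailbox -Identity $Leaver -ForwardingAddress $ForwardTo -DeliverToMailboxAndForward $true
}

# Read the state back so the result can go into the offboarding record.
Get-MgUser -UserId $Leaver -Property UserPrincipalName, AccountEnabled |
    Select-Object UserPrincipalName, AccountEnabled
Get-CASMailbox -Identity $Leaver |
    Select-Object ActiveSyncEnabled, PopEnabled, ImapEnabled, MAPIEnabled, EwsEnabled
Get-Mailbox -Identity $Leaver |
    Select-Object RecipientTypeDetails, ForwardingAddress, DeliverToMailboxAndForward
```

The script stops before license removal and account deletion, so the forwarding and shared mailbox set up in step 4 stay in place.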